

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
<title>Encryption &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script src="../../_static/doctools.js"></script>
        <script src="../../_static/sphinx_highlight.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="Bucket Policy" href="../bucketpolicy/" />
    <link rel="prev" title="LDAP Authentication" href="../ldap-auth/" /> 
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <section id="id1">
<h1>Encryption<a class="headerlink" href="#id1" title="Permalink to this heading"></a></h1>
<div class="versionadded">
<p><span class="versionmodified added">New in version Luminous.</span></p>
</div>
<p>The Ceph Object Gateway supports server-side encryption of uploaded objects, with 3 options for the management of encryption keys.
Server-side encryption means that the data is sent over HTTP in its original, unencrypted form,
but the Ceph Object Gateway stores it in the Ceph Storage Cluster in encrypted form.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Requests for server-side encryption must be sent over a secure HTTPS connection to avoid sending secrets in plaintext.
If a proxy is used for SSL termination, <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">trust</span> <span class="pre">forwarded</span> <span class="pre">https</span></code>
must be enabled before forwarded requests will be trusted as secure.</p>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Server-side encryption keys must be 256 bits long and base64 encoded.</p>
</div>
<section id="id2">
<h2>Customer-Provided Keys<a class="headerlink" href="#id2" title="Permalink to this heading"></a></h2>
<p>In this mode, the client passes an encryption key along with each request to read or write encrypted data.
It is the client's responsibility to manage those keys and to remember which key was used to encrypt each object.</p>
<p>This is implemented in S3 according to the <a class="reference external" href="https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html">Amazon SSE-C</a> specification.</p>
<p>Because all key management is handled by the client, no special Ceph configuration is needed to support this encryption mode.</p>
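<p>As an added example (not part of the Ceph documentation or the gateway's own code), the Python below builds the three SSE-C request headers a client must send with every PUT or GET of an encrypted object, and checks the key format that both notes above require (256 bits, base64). The header names are those of the Amazon SSE-C specification; the MD5 check shows the gateway-side view of the same headers, and the sample values in the comments are constructed.</p>

```python
import base64
import hashlib

KEY_BYTES = 32  # 256-bit key, as both notes on this page require

# Header names defined by the Amazon SSE-C specification.
HDR_ALGO = "x-amz-server-side-encryption-customer-algorithm"
HDR_KEY = "x-amz-server-side-encryption-customer-key"
HDR_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def decode_key(key_b64: str) -> bytes:
    """Decode a base64 key, rejecting anything that is not exactly 256 bits.
    The same check applies to a ``rgw crypt default encryption key`` value."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key is not valid base64") from exc
    if len(raw) != KEY_BYTES:
        raise ValueError(f"key must be {KEY_BYTES * 8} bits, got {len(raw) * 8}")
    return raw


def is_valid_key_b64(key_b64: str) -> bool:
    """True when the string is a usable 256-bit base64 key."""
    try:
        decode_key(key_b64)
        return True
    except ValueError:
        return False


def sse_c_headers(key: bytes) -> dict:
    """Headers a client attaches to a PUT or GET of an SSE-C object. The key
    MD5 is not secret (it only detects a key corrupted in transit); the key
    itself is, which is why the gateway requires HTTPS for these requests."""
    if len(key) != KEY_BYTES:
        raise ValueError("SSE-C requires a 256-bit key")
    return {
        HDR_ALGO: "AES256",
        HDR_KEY: base64.b64encode(key).decode(),
        HDR_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def key_md5_matches(headers: dict) -> bool:
    """Gateway-side view: does the MD5 header match the key that was sent?"""
    try:
        raw = decode_key(headers[HDR_KEY])
        sent = base64.b64decode(headers[HDR_KEY_MD5], validate=True)
    except (KeyError, ValueError):
        return False
    return sent == hashlib.md5(raw).digest()
```

<p>The client has to keep the raw key it used for each object, because a GET with a different key (or none) cannot decrypt the object.</p>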
</section>
<section id="id3">
<h2>Key Management Service<a class="headerlink" href="#id3" title="Permalink to this heading"></a></h2>
<p>In this mode, an administrator stores keys in a secure key management service
and lets the Ceph Object Gateway retrieve them on demand
to serve requests to encrypt or decrypt data.</p>
<p>This is implemented in S3 according to the <a class="reference external" href="http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html">Amazon SSE-KMS</a> specification.</p>
<p>In principle, any key management service could be used here, but currently only integration with <a class="reference external" href="https://wiki.openstack.org/wiki/Barbican">Barbican</a>,
<a class="reference external" href="https://www.vaultproject.io/docs/">Vault</a> and <a class="reference external" href="http://www.oasis-open.org/committees/kmip/">KMIP</a> is implemented.</p>
<p>See <a class="reference external" href="../barbican">OpenStack Barbican Integration</a>, <a class="reference external" href="../vault">HashiCorp Vault Integration</a> and <a class="reference external" href="../kmip">KMIP Integration</a>.</p>
</section>
<section id="sse-s3">
<h2>SSE-S3<a class="headerlink" href="#sse-s3" title="Permalink to this heading"></a></h2>
<p>This makes key management invisible to the user. The keys are still stored
in Vault, but they are automatically created and deleted by Ceph and
retrieved as required to serve requests to encrypt or decrypt data.</p>
<p>This is implemented in S3 according to the <a class="reference external" href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html">Amazon SSE-S3</a> specification.</p>
<p>In principle, any key management service could be used here. Currently
only integration with <a class="reference external" href="https://www.vaultproject.io/docs/">Vault</a> is implemented.</p>
<p>See <a class="reference external" href="../vault">HashiCorp Vault Integration</a>.</p>
</section>
<section id="api">
<h2>Bucket Encryption API<a class="headerlink" href="#api" title="Permalink to this heading"></a></h2>
<p>The Bucket Encryption API is used to support server-side encryption with Amazon S3-managed keys
(SSE-S3) or AWS KMS customer master keys (SSE-KMS).
SSE-KMS via the BucketEncryption API is not supported yet.</p>
<p>See <a class="reference external" href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html">PutBucketEncryption</a>, <a class="reference external" href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html">GetBucketEncryption</a> and <a class="reference external" href="https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html">DeleteBucketEncryption</a>.</p>
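<p>As an added example (not from the Ceph documentation or the gateway's code), the Python below builds a PutBucketEncryption request body, parses a GetBucketEncryption response, and flags any default-encryption rule the gateway cannot serve through this API, since SSE-KMS via BucketEncryption is not supported yet. The element names follow the Amazon S3 API; the sample response is constructed, not captured from a real gateway.</p>

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
SUPPORTED = {"AES256"}  # SSE-S3 only: SSE-KMS via this API is not supported yet


def _q(tag: str) -> str:
    """Qualify a tag name with the S3 namespace."""
    return f"{{{S3_NS}}}{tag}"


def build_bucket_encryption_xml(algorithm: str, kms_key_id: Optional[str] = None) -> str:
    """Return the ServerSideEncryptionConfiguration body for PutBucketEncryption."""
    root = ET.Element(_q("ServerSideEncryptionConfiguration"))
    default = ET.SubElement(ET.SubElement(root, _q("Rule")),
                            _q("ApplyServerSideEncryptionByDefault"))
    ET.SubElement(default, _q("SSEAlgorithm")).text = algorithm
    if kms_key_id is not None:
        ET.SubElement(default, _q("KMSMasterKeyID")).text = kms_key_id
    return ET.tostring(root, encoding="unicode", default_namespace=S3_NS)


def parse_bucket_encryption(body: str) -> List[Dict[str, Optional[str]]]:
    """Parse a GetBucketEncryption response into its default-encryption rules."""
    root = ET.fromstring(body)
    if root.tag != _q("ServerSideEncryptionConfiguration"):
        raise ValueError(f"unexpected root element {root.tag}")
    rules = []
    for default in root.iter(_q("ApplyServerSideEncryptionByDefault")):
        algorithm = default.findtext(_q("SSEAlgorithm"))
        if not algorithm:
            raise ValueError("rule without SSEAlgorithm")
        rules.append({"algorithm": algorithm,
                      "kms_key_id": default.findtext(_q("KMSMasterKeyID"))})
    return rules


def unsupported_algorithms(rules: List[Dict[str, Optional[str]]]) -> List[str]:
    """Algorithms in a configuration that the gateway's bucket encryption API does not serve."""
    return [r["algorithm"] for r in rules if r["algorithm"] not in SUPPORTED]


# Constructed sample of a GetBucketEncryption response (not captured from a real gateway).
SAMPLE_RESPONSE = """<ServerSideEncryptionConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Rule>
    <ApplyServerSideEncryptionByDefault>
      <SSEAlgorithm>AES256</SSEAlgorithm>
    </ApplyServerSideEncryptionByDefault>
  </Rule>
</ServerSideEncryptionConfiguration>"""
```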
</section>
<section id="id4">
<h2>Automatic Encryption (for testing only)<a class="headerlink" href="#id4" title="Permalink to this heading"></a></h2>
<p>Setting <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">crypt</span> <span class="pre">default</span> <span class="pre">encryption</span> <span class="pre">key</span></code> in ceph.conf forces the encryption of all objects, including those that do not specify an encryption mode.</p>
<p>This configuration option accepts only a base64-encoded 256-bit key, for example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">rgw</span> <span class="n">crypt</span> <span class="n">default</span> <span class="n">encryption</span> <span class="n">key</span> <span class="o">=</span> <span class="mi">4</span><span class="n">YSmvJtBv0aZ7geVgAsdpRnLBEwWSWlMIGnRS8a9TSA</span><span class="o">=</span>
</pre></div>
</div>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>This mode is for diagnostic purposes only! The Ceph configuration file is not a secure place
to store encryption keys; any key accidentally exposed in this way should be considered compromised.</p>
</div>
</section>
</section>





           </div>
           
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).</p>
  </div>

   

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>